Technological improvements have allowed businesses and individuals to engage in transactions in new and expanding environments. For example, wireless transactions can be conducted by any electronic device which is enabled to communicate information over any wireless interface including infrared, radio frequency, laser, or any other frequency, communication means or protocol for use therewith.
For example, radio frequency enabled credit cards, debit cards, loyalty cards and the like, collectively known as contactless cards, typically comprise an integrated circuit and a coiled antenna. The integrated circuit of a contactless card comprises a processor, a processor-readable storage medium, such as random access memory (“RAM”) and/or electrically erasable-programmable read only memory (“EEPROM”), and a modulator/demodulator for impressing data on a radio frequency wave and decoding received data. The antenna is coiled through the interior of the contactless card and is used to communicate data with an external location. In addition, the coiled antenna can inductively couple with an external magnetic, electric and/or electromagnetic field to serve as a power source for the contactless card.
Contactless cards provide issuers with the opportunity to provide cardholders with innovative technology that, due to the increased convenience of use and speed of completing a transaction, will, in general, by preferred by cardholders. In addition, contactless cards provide increased cost savings to merchants due, at least, to reduced maintenance costs associated with contactless card readers versus contact-based card readers. Further, contactless cards provide merchants with the opportunity for increased revenues due, at least, to the reduced time needed at check-out for payment to be provided by the consumer using a contactless card. Contactless integrated circuit cards also provide significant convenience to the cardholder since such cards allow a consumer to conduct a transaction more quickly and conveniently than in a contact-based environment. For example, a contactless card can remain in the physical possession of the cardholder at all times since all of the data necessary to complete a transaction can be transferred via a wireless interface. This feature provides the cardholder with an increased level of security as it reduces the likelihood that the card will pass through an unauthorized reader that steals data from the card for the purpose of creating a counterfeit card.
Nonetheless, such benefits must be balanced against potential security breaches stemming from the use of contactless cards that are absent in a contact-based environment. In particular, security issues can arise when information that is transmitted between a card and a contactless card reader is intercepted during transmission. Potential security breaches stemming from the use of contactless cards include data “hijacking”, data “pick-pocketing” and “man in the middle” attacks.
A hijacking attack occurs when a party not involved in a contactless card transaction taps into a data exchange occurring as part of the transaction to extract information transmitted between the contactless card and a contactless card reader. Not surprisingly, the ability of a fraudulent device to obtain valid data is inversely proportional to the distance between the hijacking device and the card reader and/or the contactless card. In other words, the likelihood of the hijacking device successfully obtaining valid data from the transaction increases as the distance between the hijacking device and a card reader and/or a contactless card decreases.
A pick-pocketing attack occurs when a fraudulent device activates and reads a contactless card without the cardholder's knowledge. Data pick-pocketing may even occur when the card is not being used in a transaction. The pick-pocketing device can activate the card and initiate a data exchange. Data is obtained from the card by the pick-pocketing device using legitimate commands that cause the card to react as if the data exchange were legitimate. Since a contactless card transmits data as radio frequency waves propagating from a single source, a contactless card can be subject to such an attack in locations and from sources of which the cardholder is not aware. Again, the ability for a fraudulent device to obtain valid data is inversely proportional to the distance between the contactless card and the fraudulent device.
A “man in the middle” attack occurs when an exchange between a contactless card and a legitimate card reader is unknowingly intercepted by an unauthorized device. The unauthorized device intercepts the data transmitted by the card, copies or otherwise manipulates such data, and transmits such data to the legitimate card reader. When the card reader returns data or transmits commands to the card, the unauthorized device first intercepts and then transmits such data/commands to the card. The transaction can continue with the unauthorized device intercepting and re-transmitting all data/commands exchanged between the card and the legitimate card reader. As such, the unauthorized device has access to all data for the transaction without the knowledge of either the cardholder or the merchant operating the card reader.
Accordingly, consumers and organizations have concerns regarding the possibility that a contactless card could permit information to be taken without the cardholder's authorization. What is needed is a method and system for inhibiting unauthorized accesses to contactless cards.
A need exists for a method and system that permits a cardholder of a contactless card to determine when a transaction is initiated.
A further need exists for a method and system that controls data reception and transmission for a contactless card.
The present disclosure is directed to solving one or more of the above-listed problems.